  • DocumentCode
    3704047
  • Title
    Analysis of Mobility Algorithms for Forensic Virtual Machine Based Malware Detection
  • Author
    Nada Alruhaily; Behzad Bordbar; Tom Chothia
  • Author_Institution
    Sch. of Comput. Sci., Univ. of Birmingham, Birmingham, UK
  • Volume
    1
  • fYear
    2015
  • Firstpage
    766
  • Lastpage
    773
  • Abstract
    Forensic Virtual Machines are a new technology that replaces signature-based malware detection for the cloud. Forensic Virtual Machines are mini-VMs which are used to identify symptoms of malicious behaviour on customer VMs. Scanning using these mini-VMs consumes fewer resources than a full scan would and their small size reduces the possibility of the FVMs themselves containing vulnerabilities. A mobility algorithm embedded in every FVM specifies how it chooses which customer VM to scan. Although multiple scanning strategies have been introduced, there is no work which provides a comparison of these strategies. In this paper, we develop a probabilistic approach which tells us which strategy is best for a given cloud environment and particular family of malware. Our framework uses Bayesian probability in addition to a malware knowledge base in order to simulate the scanning process of a number of FVMs.
  • Keywords
    "Malware","Virtual machining","Cloud computing","Algorithm design and analysis","Forensics","Heuristic algorithms"
  • Publisher
    ieee
  • Conference_Titel
    Trustcom/BigDataSE/ISPA, 2015 IEEE
  • Type
    conf
  • DOI
    10.1109/Trustcom.2015.445
  • Filename
    7345353